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ABSTRACT: 

A data protection method is used for protecting data recorded on a removable storage medium, 
such as an optical magnetic disk. The method includes the steps of authorizing to read and 
access a part of a directoiy area on a storage medium without specifying a password given to the 
removable storage medium. When accessing the removable storage medium, a user is required 
to input a password, the inputted password is compared with a predetermined password, and if 
not coincident, access is inhibited, and further, if coincident, it is permitted to access only one 
part of an area of the removable storage medium. 
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(54) A data protection mettiod for a removable storage medium and a storage device using ttie 
same 



(57) A data protection method is used for protecting 
data recorded on a removable storage medium, such as 
an optical magnetic disk The method includes the steps 
of authorizing to read and access a part of a directory 
area on a storage medium without specifying a pass- 
word given to the removable storage medium. When 
accessing the removable storage medium, a user is 
required to input a password, the inputted password is 
compared with a predetermined password, and if not 
coincident, access is inhibited, and further, if coincident, 
it is permitted to access only one part of an area of the 
removable storage medium. 
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Description 

BACKGROUND OF THE INVENTION 

5 Held Of the Invention 

[0001 ] The present Invention relates to a method for concealing and protecting data by enrptoying a password to read 
and overwrite the data recorded in a removable storage medium provided in a storage device, which is connected to an 
infomiation processor, such as a computer, a word processor and an electronic book apparatus, under a control from 
10 the storage device or the information processor, and the present invention also relates to a storage device using the 
method. 

DesCTiption of the Related Art 

75 [0002] There is a case where information should not be accessed by other persons that an original holder or admin- 
istrator, because such the information relates to a personal privacy or secret information on business recorded in a stor- 
age device connected to an information processor, such as a computer and a word processor. 
[0003] However. It is almost easy to access the storage device of the information processor so as to retrieve data and 
to copy bulk data. This brings problems such that important data can be easily accessed and modified. 

20 [0004] To avoki such prot)lem, it has been proposed that a password is given to a storage device, and then, a user 
must input the password when accessing data on the storage device. Then, if the inputted password does not coincide 
with a correct password given to the staage device, the user cannot be authorized to access the storage device. 
[0005] Various kinds of such structures and methods have been proposed, for example, in Japanese laid open patent 
applications No. 58-178456 (first conventional method), 60-189531 (second conventional metiiod) and 4-192027 (third 

25 conventional method). 

[0006] In the first conventional method, a basic structure Is disclosed, in which a password is recorded in a magnetic 
disk to allow the access to the disk only when the password is coincident with an inputted password. 
[0007] In the second conventional method, the structure is intended to protect contents stored in. particularly, an 
externa] storage medium having a large storage capacity. However, a password given in a storage medium is checked 
30 with a password that supplied from an upper level device, and if both the passwords coincide, a user can access the 
storage medium, similarly to the first conventional method. 

[0008] These conventional methods are applicable not only to a storage device, such as a fixed disk having a large 
storage capacity with a volume table of contents (VTOC), but also to various kinds of removable storage mediums, such 
as storage devices with volume administrative information and an optical magnetic disk. 
35 [0009] Further. It is assumed in the third conventional method that one removable storage medium can be accessed 
^ from multiple persons. When one rerTX)vat)le storage medium is divided into a plurality of logical partitions, a password 
is specified in each of the logical partitions. Therefore, it is possible to provide an exclusive partition for each user by 
inputting a password. 

[001 0] However, the following problems are brought in either of the above-described conventional methods: 
40 [OQ1 1] That is, supposing a user uses plural removable storage mediums and then the user forgets in which remov- 
able storage medium a specified documerrt is stored, the user must access all storage mediums rarxlomly to find out 
which storage medium stores tiie specified document. 

[001 2] However, when a password is set to a storage medium, i.e., a disK according to the above-desaibed conven- 
tional methods, tiie user should input the password every time he accesses tiie disk That brings complicated operation 
45 for the user. Therefore, there is a possibility tiiat the user wants to avoid tiie troublesome and then sets only one pass- 
word for almost all disks, without differing tiie password in each disk. 

[0013] Moreover, it should t>e considered tiiat a situation where a user forgets which storage medium provided in a 
removable storage device has stored a specified document may frequently occur. This is because such tiie information 
itself that a certain storage medium "or stores a specified document "A", such as a diary, should be concealed. 

so [0014] To avoid the above-described situation or condition, the user may put tiie label titie such as the "secret busi- 
ness documents" on a storage medium "01 for example. This gives to tiie otiiers a chance to illegally access data, and 
then, the secret may leak out. Witii tiie same reason, it is not suitable administration to print out a list of contents in each 
disk. Therefore, disk administi-ation may become to be dependent on user's memories or uses easy keywords. 
[001 5] Further, in an otiier mode, ttiere is a case where one user instructs tiie other person to find and take out a disK 

55 on which business information is recorded due to urgent requirement on ordinary business. In this case, a password is 
not informed to tiie instructed person, and therefore, the pers n cannot know which disk he should take out 
[0016] Actually, the user should inform the password t tiie instructed person, or tiie disk administration is operated 
without any password in consideration with such tiie condition. In tiie foregoing case, tiie number of persons having 
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data Is encrypted and recorded by the first password in the other part area of the storage medium. Then, the second 
passvA/ord is encrypted by the first passivord and the second password is recorded in a specific reserved area of the 
removable storage medium. 

[0034] The one part area of the removable storage medium is encrypted and decoded by the second password, and 

5 other areas are encrypted and decoded by the first password. 

[0035] Thereby, when the password specified before accessing the removable storage medium is authentic as a first 
password, rt becomes possible to access the whole of the removable storage medium by decoding the second pass- 
word by the first password. Further, rf the password is not authentic as the first passwad, it becomes possible to read 
only the one part area of the removable storage medium by employing the password as the second password. 

w [0036] In each of the above-described modes, one part of the removable storage medium to which read access is 
permitted includes a label given to the removable storage medium, or all of or a part of the directory area as adminis- 
trative information. 

[0037] Additionally, to determine the label given to the atxTve-described removable storage medium or the part of the 
directory area, the present invention provides the following methods: a method for determining from a capacity of the 
75 removable storage medium and a logical format type considered, arrd a method for writing a range specification tsy the 
use of a start logical block address and an end logical block address in a specific reserved area of the removable stor- 
age medium in advance, or a method for identifying an administrative area including a label or directory by an interface 
section for kientifying a logical fbnuat of the storage medium, such as a device driver. 

[0038] With the structure of the present invention, even if the password given to the storage medium is not specified, 
20 the user is permitted to access one part of the directory area on the storage medium for reading out data from the one 
part. 

[0039] Therefore, it becomes possible to know an outline of information recorded in the storage medium without com- 
plicating password administration, or making a security hole, i.e., without giving a weak point and loophole on security 
function. Thereby, it becomes possible to avoid careless accessing to secret information. 
25 [0040] For example, it is possible to set a same password for reading out administrative information to all disks, i.e., 
storage mediums and each different password to each disk for accessing data in actual. This realizes that a retrieve to 
know which disk stores the required file can be executed by exchanging disks actually. 

[0041 ] For example, when a user instructs to an other person to deliver a disk in which a file named as "aa" is stored, 
the contents of the file "aa" cannot be accessed, and therefore, the possibility of leaking secret information can be 
30 reduced. 

BRIEF DESCRIPTION OF THE DRAWINGS 

[0042] 

55 

' Fig. 1 is a block diagram of one embodiment of an information processor including an optical magnetic disk appa- 
ratus as one emtxxjiment of a storage device according to the present invention. 

Fig. 2 is an explanatory diagram of a structural layout of an optical magnetic disk storage medium, illustrating only 
a data zone of the optical magnetic disk storage medium. 
40 Fig. 3 shows an operational flow chart of a first embodiment according to the present invention in an information 
processor including a storage device employing a removable storage medium, such as an optical magnetic disk 
Fig. 4 shows a flow chart for setting an authorized access range corresponding to the table 1 when a storage 
medium is inserted or a power of a device is ON. 

Fig. 5 is a flow chart for explaining registration of a disk password in a first example for the second embodiment. 
45 Fig. 6 is an operational flow chart of the first example for the second embodiment. 

Fig. 7 is a flow chart for explaining registration of a disk password in a second example for the second embodiment. 

Fig. 8 is an operational flow chart when controlling to read in the second example for the second embodiment. 

Fig. 9 is an operational flow chart when controlling to write in the second example for the second embodiment. 

Fig. 10 is an operational flow chart for explaining a control when employing two passwords in the third embodiment. 
50 Fig. 11 is a first operational flow chart when a medium is inserted and a power is supplied corresponding to a table 

7 in the third embodiment Rg. 12 is a second operational flow chart when 

a medium is inserted and a power is supplied corresponding to a table 7 in the tiiird embodiment 

Fig. 13 is a third operational flaw chart when a medium is inserted and a power is supplied con-esponding to a table 

7 in the third embodiment 

55 

DESCRIPTION OF THE PREFERRED EMBODIMENTS 

[0043] Throughout the following descriptions, the same reference numerals are used to denot and identify conre- 
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known the password of the removable storage mecGum will Inaease unintentionally, and therefore, it becomes a prob- 
lem from the view of the security. On the contrary, in the later case, a security function can not be fundamentally 
employed. 

[0017] On the other hand, a library storage device has been employed for automatically administrating nnjltiple stor- 
s age mediums. It is new considered to treat a storage medium protected by a password in such the storage devica In 
this case, a label or a serial number employed on an individual storage medium to specify each of the muK^le storage 
mediums, which the library storage device administrates. Therefore, it is necessary that the library storage device can 
read out the label on each storage device. 

[0018] However, if a password is specified to refer such the label or the substation, it is general that the same pass- 
w word is specified to all disks that the library device administrates. In such the mode, once a password is specified to one 
disk, access all storage mediums would be permitted. Viewing from the point of system security, this situation is not 
acceptable. 

[001 9] As described above, situations where disks are frequerrtiy exchanged arxJ are referred occurs in a removable 
storage device. Therefore, when enploying either of the conventional methods, it is inclined to form a careless admin- 
75 istration. such that only one password is specified for alnxsst all storage mediums. More particularly, the problem occurs 
if either of the above-described conventional method is applied to multiple removable storage mediums. As a mass-stor- 
age medium has larger capacity much information illegally referred will increase, and tfierefore. a serious problem will 
occur. 

20 SUMWIARY OF THE INVENTION 

[0020] Accordingly, it is an object of the present invention to provide a method for concealing and protecting data in 
a removable storage medium, such as an optical magnetic disk, to overcome the above-described shortage in the con- 
ventional methods, and a storage device using the same. 
25 [0021] To attain the above<iescribed object, the present applicant had noticed the following point: 

[0022] In the conventional methods, accessing a whole storage medium is permitted even when accessing only one 
part of information, such as administration information, i.e.. information of a recorded f Oe name. That causes the above- 
described problem for concealing and protecting data. 

[0023] Further, administration infbnnation on a storage medium is generally written on a specified location or com- 
30 paratively collective area. Or. in many cases, the administration information on tiie storage medium can be restricted in 
a comparatively small area. 

[0024] Therefore, the present invention has a feature for comparing an Inputted password with a predetermined pass- 
word when accessing a removable storage medium, inhibiting access to a whole removable storage medium if both of 
the passwords are inconsistent, but permitting only to read and access only a part of the removable storage medium 

35 including an administration area by employing a certain means. 

[0025] In a mode of the present invention, a password for permitting read access to only a restricted area is provided 
_ separately from a password, which is required to access the whole removable storage medium. 
[0026] For instance, an optical magnetic disk, which is prescribed in ISO-13963, is managed by dividing 10 areas 
called as bands 0 to 9. Two passwords are provided to tfie optical magnetic disk. When tiie first password coincides, a 

40 user is allowed to access all of the bands 0 to 9. and when the second password coincides, the user is allowed to 
access only the band 0. on which the administration information is recorded. 

[0027] As file system administration information is generally written on the band 0 in some file systems, the user can- 
not access tiie whole disK but he can access only tiie file system administrative information as tiie result in this mode. 
[0028] Further, in anotiier mode of tiie present invention, a password for controlling access to a removable storage 
45 medium is set in advance in an exclusive area, of the renwvable storage medium, which a file system does not admin- 
istrate. 

[0029] When a password spedfied by a command sent from a conputer coincides with a predetermined password 
for permitting a user to write and read, the user can write and read to the whole removable storage medium on forward. 
[0030] Additionally, when the password specified by a command coincides with a password for permitting the user to 

50 read a part of the removable storage medium, the user can read out data only within a permitted range. 

[0031 ] Furtiiermore. in one mode of the present invention, one part area of the removable storage medium is recorded 
witfi a plain text, so that more utility can be obtained in a data protection method for removable storage medium by 
which data Is encrypted and stored in the removable storage medium, a password is verified, and the data encryption 
is decoded when the password is authentic. 

55 [0032] When tiie password is determined not authentic by tiie verification, it becomes possible to access and read 
only one area of the removable st rage medium where the plain text is recorded. 

[0033] As another mode of the structure employing tiie data encryption, first and second passwords are employed. In 
other words, data is encrypted and recorded by the second password in one part area of the storage medium, and the 
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spending or identical conrtponents. 

[0044] Rg. 1 1s a block diagram of one embodiment of an information processor including an optical magnetic disk 
apparatus as one embodiment of a storage device applying the present invention. Although an magnetic disk apparatus 
will be explained as an embodiment, the present invention is not restricted to the optical magnetic disk apparatus. It 
5 should be of course understood that an magnetic disk apparatus or an optical disk apparatus for only reading out data 
is also applicable to the present invention. 

[0045] Returning to Fig. 1. an optical magnetic disk apparatus 1 includes a system controller 10 for writing to and 
reading out from an optical magnetic disk used as a storage medium, and further, a control circuit section including an 
optical magnetic disk controller (ODC) 1 1 having a firmware where a software is stored to execute a method according 
10 to the present invention. 

[0046] A control circuit section includes a MPU 12 for controlling storage device 1 in total, a D-RAM 13 which is a 
buffer memory for reading or writing data, a DSP 14 for performing arithmetic conversion of reading and writing data, 
an amplifier 16 for reading data, an AGC amplifier 17. a power amplifier 18 for driving a head and a disk rotation motor 
controller 19. 

15 [0047] The system controller 10 includes a head sensor 100, a laser diode 101 for writing, driven by the amplifier 15, 
and a detector 102 for reading data, connected to the amplifier 16. 

[0048] Additionally, tfie system controller 10 includes a focus actuator 103. a track actuator 104. a disk taking out 
(eject) motor 105 and a voice control motor 106 for driving a head, which are controlled by tiie power amplifier 18. and 
further, a spindle motor 107 controlled by the motor cortroller 19 for rotating disk. 
20 [0049] On tiie ottier hand, reading and writing data is controlled by a SCSI command sent from a conrputer 2 to the 
optical magnetic disk controller (ODC) 1 1 according to an operator's instruction inputted from a key board 3. A display 
device 4 for displaying writing or reading data is connected to tiie computer 2. 

[0050] Optical magnetic disk controller (ODC) 1 1 including a firmware formed by a flush ROM has a function for ana- 
lyzing a SCSI command sent from computer 2. It further has a function for controlling the system controller 10 to write 
25 and read data according to tiie SCSI command operated along with the MPU 1 2. 

[0051 ] It is of course understood that the present invention is not restricted to a SCSI command group, but is applica- 
ble even to other command groups, such as ATA, ATAPI or SASI. 

[0052] In here, a mechanical layout of a removable storage medium including an optical magnetic disk will be now 
considered. Rg. 2 illustrates only a data zone of a removable storage medium. In tiie fonward and backward sections of 
30 the data zone shown in Rg. 2, there is a test zone, not shown in Rg. 2. and an area or a reserved area where a firmware 
in a storage device administrates tiie disk and which Is not used as an area for writing user data, along the radius direc- 
tion of tiie removable storage medium. 

[0053] The data zone of a removable storage medium shown in Rg. 2 includes a file allocation table (FAT) I for admin- 
istrating an area In each cluster, which is a unit for writing data, a root directory II for showing a name or an attribute of 

35 a file or a directory, or a starting cluster nuntier, and a data area III where contents of the file is recorded. 
[0054] It is possible to calculate an logical block address from a cluster number by simple arithmetic. 
[0055] Fig. 3 is an operational flow chart of the first embodiment according to tiie present invention in an information 
processor including storage device 1 of a removable storage medium, such as an optical magnetic disk. A user can 
access only directory information stored in tiie root directory II shown in Fig, 2 by specifying one part including a volume 

40 label or directory information, i.e.. an administration area of the removable storage medium, within a logical block 
address (LBA) as an authorized access range. 

[0056] As information of a file name, a directory to which a file is belonging and a start address is written in a root 
directory II. it is possible for user to easily find a location where a required file exists. 

[0057] At first, a reading request command is sent from the computer 2 to the optical magnetic disk controller (ODC) 
45 1 1 including a firmware of tiie storage device 1 employing a removable storage medium according to a SCSI command 
(STEP SI). 

[0058] TTiereby. the optical magnetic disk controller (0DC)1 1 judges whetiier or not an optical magnetic disk type stor- 
age medium of which writing/reading is contiolled by the system controller 10 is protected by a password (STEP S2). 
In here, tiie medium Is not protected by a password, it is possible to read out from and write to a disk according to a 

so read or write processing routine (STEP S7). 

[0059] On tiie otiier hand, when It is registered in optical magnetic disk controller (ODC) 1 1 tiiat the appropriate stor- 
age medium is protected by a password, i.e., a password is registered to tiie optical magnetic disk confroller 1 1 in 
advance, the optical magnetic disk controller (ODC) 1 1 judges whetiier or not the password specified by a user coin- 
cides with the registered password (STEP S3). 

55 [0060] In tiiis example, tiie judgment whether or not a password coincides witfi the registered one is to determine 
autfienticity of tiie password Accordingly, the user can verify a password specified by the user by performing a certain 
operation to the specified password and recording the password performed with tiie certain operation in advance and 
comparing it witfi a password, which is specified by the computer 2 and performed with tiie certain operation in the 
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same way. instead of comparing two passwords, directly. 

[0061] The password specified by the user is inputted from the keytx>ard 3 before an access request is sent from the 
computer 2. 

[0062] In the above-descn'bed explanation, the optical magnetic disk controller (ODC) 1 1 includes a function for inter- 
5 facing to the computer 2. and the computer 2 Includes a function for interfacing to the optical magnetic disk controller 
(ODC) 11. 

[0063] Therefore, it is possible to configure so as to execute the judgment whether or not the password specified by 
tiie user coincides with the registered one in the interface section of tiie computer 2. 

[0064] Then, when the passwords coincide with each otiier, rt becomes possible to execute processing for reading 
10 from or writing to a whole disk (STEP S7). If the both passwords do not coincide, it is judged whether or not the access 
request is for writing (STEP S4). If it is for writing, an enror is notified to the computer 2 as an access emor The computer 
2, for example, displays an error message on the display device 4, to inform to tiie user according to an error processing 
(STEP S5). 

If not. in other word, the request is for reading, a specific area included in the above-desaibed access request com- 
15 mand sent from the computer 2 is diecked. Then, it is checked whether or not the requested specific area is within an 
autfiorized range for reading access (STEP S6). 

[0065] If the requested specific area is not within the autiiorized range for reading access, an en'or is notified to the 
computer 2, similarly to the writing access request (STEP S5}. If tiie requested specific area is within tiie autiiorized 
range for reading access, the user can read data in read or write processing routine (STEP S7). 
20 [0066] In other word, it is possible only to read data within tiie authorized range for reading access, regardless of coin- 
cidence or incoincidence of the botii passwords in tiie embodiment according to an operational flow chart shown in Fig. 
3. 

[0067] In here, the authorized range for reading access can be specified by a range of a logical block address (LBA) 
in a removable storage medium as an embodiment Additionally, tiie range of LBA for authorizing tiie reading access is 
25 specified so as to include a root directory II to which information of the name and attribute of the file are written as 
explained in accompanying to the above-described Fig. 2. 

[0068] In here, tiie LBA range including tiie root directory II varies according to capacity of the removable storage 
medium. For example, when a storage medium is inserted into the storage device 1 or the storage medium has been 
inserted on supplying a power for the information processor, tiie range is set according to tiie inserted storage medium 
30 so as to obtain a suitable range for the storage medium. 

[0069] In otiier word, as shown in the flow chart of Rg. 4. when inserting a removable storage medium to the storage 
device 1 or supplying a power for an information processor (STEP SOI), a type of the inserted storage medium is 
checked, and settings are performed according to the type (STEP S02). 

[0070] Then, an authorized range for access is determined according to a relationship indicated in a table 1 . which is 
35 -v.an example table for determining the authorized range for reading access (when a sector lengtti is 51 2 bytes) 

[TABLE 1] 

40 



45 



SO 



CAPACITY OF MEDIUM 
(MB) 


spc 


AUTHORIZED RANGE FOR ACCESS 
(LEAST UPPER BOUND OF LBA) 


Less than 128 MB 


4 


cap 


Less than 256 MB 


8 


Loss than 512 MB 


1 6 


X 2 + 32 + 32 

spc X 12 8 


Mora than 512 


3 2 



* cap means total capacity of a storage medium in a 1024 byte unit 

* spc means a sector number in a cluster 

55 

[0071] Actually, a logical fonnat is estimated within a suitabi range, and then, the LBA range for authorizing access 
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is calculated according to the capacity of the storage medium. In this example, super floppy and hard disk format types 
are considered as a logical format type typically used in a personal computer. Then, tt is assumed that FAT 16. Le., a 
file allocation table for 16 bits, is employed in a segment format type, and the authorized range for access is set from 
LBA=0 to a least upper bound of L6A illustrated in the table 1 according to the capacity of the storage medium. 
5 [0072] In other words, the authorized range for access can be specified by start and end logical block addresses. 
[0073] In the method for dedding the authorized range for access based on the capacity of the storag medium, when 
referring to examples of the formats written on cfisks by the super floppy format type and the hard disk format type, the 
LBA range for authorizing access does not always coincide with an area in which directory information is written by the 
both fomiat types (refer to II of Fig. 2). 

TO 



[TABLES] 



Start LBN 


SECTOR NO. 


For USE 


SFPD 


HDD 






null 


0 


1 


Boot Code 


null 


1 


31 through 63 


Idle for boundary control 


0 


32-64 


1 


Resented area for boot code 


1 




nsc*2/(spc*ssize) 


FAT 






nsc*2/(spc*ssi2e) 


FAT (Resen/ed) 






512*32/ssize 


Root directory 


* SFPD - Super Floppy format type 

* HDD - Hard Disk format type 

* nsc - Total number of sectors in a storage medium 

* spc - A number of sector per a cluster (refer to Table 1) 

* ssize " Sector size in a bite unit 



30 

[0074] However, when an optical magnetic disk of which a logical format is a super f bppy or hard disk format type, 
which is frequently used in general, is enployed as a storage medium, for exanrple. an area having at most several ten 
KBs other than the area where directory information is written is included for spare in the LBA range for authorizing to 
35 read. 

[0075] Even if that extent of data in a file data area other than the directory information is read out, this does not 
become a problem in general. If this is a problem, a file readable for other persons can be written to a header section 
of a data area III when initializing the disk to avoid this problem. This makes it possible to prevent from reading out the 
data that requires secrecy with the directory information. 
40 [0076] For example, it is possible to prevent from reading out secret data by writing in a header section, an OS, appli- 
cation program, font data, and a directory, which are available on the market or data opened to public through an inter- 
personal computer communication. 

[0077] A case where the storage device 1 handles a logical disk format will be considered in here. It is also possible 
to prepare a mechanism for making it invalid to calculate the LBA range for authorizing access according to capacity of 

45 the storage medium by a switch provided on the storage device 1 . 

[0078] When the LAB range becomes invalid, the mechanism for authorizing access only to the directory area regard- 
less the logical format cannot be employed. Accessing not only a directory area but also data area must be allowed in 
order to read out the directory area. In other words, the user can read out the whole storage medium, or not 
[0079] Access control employing data encryption will be new considered. In this method, the access control method 

50 according to the present invention can be implemented by employing a device driver, i.e.. a software, in the storage 
device 1 having no special mechanism for access control, such as an existing floppy disk device or optical disk device. 
[0080] At first, data recorded in a disk are all encrypted for access control to the whole storage medium, i.e., a disk. 
Various kinds of data encryption methods can be employed as a data encryption method, not restricted to the emtxxj- 
iments of the present invention. After inserting a disk into the storage device 1 , a user sets a password, i.e., a disk pass- 

55 word, in each disk until accessing to the disk at first This password is used as a key or a part of Hie key on the data 
encryption. 

[0081] Therefore, when accessing data for next time, data can be correctly decoded if the user inputs a password and 
the inputted password is matched, and therefore, the user can con-ectly access the data. H the password the user spec- 
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ifies is not matched, the following two methods can be considered. 

[0082] A first method to be considered is to decode the data as it is. regaidless of the result from the password veri- 
fication. Because the read out data is abnormal, the user can now understand that the password is not con-ect. As the 
result, the user cannot obtain normal data, and in other words, the user cannot access the data. In a second method to 
5 be considered, if it ^ detected by some means that the password is not correct, the user Is inhbited to access the data 
in all. 

[0083] The above-described two methods to be considered will be further explained in accompanying with Figs. 5 and 
6. In Rg. 5, a user inputs a disk password at first (STEP S10). The inputted password is stored in a memory that a disk 
driver administrates (STEP S1 1), 
10 [0084] When realizing as a storage device, the disk password the user inputs is transmitted to the storage device, and 
the storage device stores the password in a builtH'n memory, for example, the D-RAM 13 shown in Fig. 1 (this step Is 
conesponding to the step S11). 

[0085] Then, a reading access request is transmitted from the computer 2 to the storage device 1 according to. for 
example, a SCSI command (STEP 820), and the data is read out. Then, the disk driver judges whether or not the disk 
15 password is already registered to the disk to be accessed or the disk is already protected (STEP S21]. Further, when 
realizing as a storage device, this judgment may be performed by a firmware, for example, of the optical magnetic con- 
trailer (ODC) 1 1 . shown in Fig. 1 . 

[0086] If the disk is not protected by the disk password, the data can be read out (STEP S22). If so. it is judged 
whether or not the password inputted and stored at the step 811 is authentic, for example, it is judged whether or not 

20 the inputted and stored passwords coincide (STEP S23). 

[0087] If the password is authentic, the data is read out and the password is employed as a decode key for decoding 
(STEP 824). If the password is not authentic, an error is returned (STEP S25). Or the data is decoded as it is, similarly 
to the case where the password is correct illustrated in a dotted line of Fig. 6. In this case, the result of decoding the 
data is usually not correct, and therefore, the decoded data cannot be readable or understandable. 

25 [0088] When realizing as a storage device, this judgment is performed in a firmware of the storage device, for exam- 
ple, the optical magnetic disk controller (ODC) 1 1 shown in Fig. 1 . 

[0089] The second embodiment of the pr^ent invention has a feature to put for practical use more effectively than 
the methods to be considered as shown in Figs. 5 and 6. Two examples according to the second embodiment of the 
present invention, which is improved from the password protect methods shown in Figs. 5 and 6, will be now explained. 
30 [0030] In the first example, a label or root directory of a disk to be accessed at first is stored in a plain text without 
encrypting the whole disk. It is a matter of course that the area for the label or root directory is not subject to a decoding 
processing. 

[0091] Further, if a password a user inputs is not authentic, reading access is not restricted in the root directay area. 
As the result, the user may read out the root directory, regardless of the inputted password, similarly to the case 
r35,;ji explained^ Fig. 3. 

[0092] An operational processing flow chart of this example will be explained in accompanying with Figs. 7 through 
9. This example is realized as a storage device. In Rg. 7. a user inputs a disk password in advance (STEP 830). Then, 
the optical magnetic disk corrtroller (OCD) 1 1 judges whether or not the disk is protected by a password (STEP S31). If 
the disk is protected by the password, tiie inputted password is recorded in. for example, the D-RAM 13 of Fig. 1 (STEP 
40 S32). 

[0093] Next, when reading out the data, the process of the operational flow processing in Fig. 8 is executed. In the 
case of reading access (STEP 840), tiie disk driver judges whether or not tiie storage medium is protected by a pass- 
word (STEP 841). 

[0094] If the storage medium is not protected by a password, data may be read out (STE P 842). If the storage medium 
45 is protected by the password, the required sector is read out (STEP 843). Then, it is judged whether or not the read out 
sector Is in a directory area recorded as a plain text, which is not encrypted (STEP S44). 

[0095] If data is recorded in a plain text, the data can be read out (STEP 842). If data is encrypted, the data is read 
out for decoding (STEP 845). 

[0096] Further, the processes for writing data will be performed according to the flow chart illustrated in Fig. 9. If a 
so user requests to write data (STEP S50), the disk driver stored in the interface section of the computer 2 judges whether 
or not the storage medium is protected by a password (STEP 851). 

[0097] If it is not protected by a password, the data is written (STEP 852). If it is protected by a password, the system 
instructs the user to input the password, and it is judged whether or not the inputted password coincides with a regis- 
tered password (STEP S53). 

55 [0098] Then, if the inputted password does not coincide witii tiie registered password, a writing error is returned. If 
tiie passwords coincide, ttie data is encrypted and is written (STEP 854). 

[0099] An authentic password or data for validity check of the password is written to a reserved area of the disk in 
advance. It is also poss33le to write an authentic password in tiie inside of the storage device, for example, in a non- 
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volatile memory managed by the optical magnetic disk controller (ODC) 11 of Fig. 1 . In this case, a same password may 
be commonly employed tor a plurality of storage disks. 

[01 00] The above-desabed processes are explained for realizing the present invention in a storage device. The proc- 
esses can be also executed in the interface section of a computer connected to the storage device, for example, an 

5 interlace card or device driver. 

[0101] Next, a method where a second password is employed separately from a first password for protecting the 
whole disk will be explained as a second example for protecting to access by employing data encryption. 
[0102] In ttiis embodiment the root directory Is encrypted by employing the second password. Furtiner, a reserved 
area not included in the root directory is provided on a disk, arxJ the second password is encrypted by the first password 

TO to write to the reserved area. The above-described processes are performed when the disk is Initialized. 

[01 03] In the above-described d^inition, the processes will be explained in accompanying with a flow chart shown in 
Fig. 10. A password inputted from the user is received by a disk driver stored in the interface section of the computer 2 
(STEP S60). Then, the disk driver judges whether or not the disk is protected by a password (STEP S61), 
[01 04] If the disk is not protected by a password, the user is authorized to access the whole storage medium, regard- 

}5 less of the password inputted from the user (STEP S62). If the disk is protected by a password, it is judged whether or 
not the inputted password coincides with the first password (STEP S63). In other words, the disk driver verifies whether 
or not the inputted password is authentic as the first password. 

[01 05] In this verification, if the inputted password is invalid as the first password, it is regarded as a second password, 
and the rood directory area is decoded. If the inputted password is authentic as the second password, it is judged 
20 whether or not the decoded password 2 coincides with the inputted password (STEP S64). If it coincides with the input- 
ted password, the user is authorized to read out tiie root directory (STEP S65). If not, the user inhibits access to the 
storage medium (STEP S66). 

[0106] Further, at tiie step S63, if tiie password inputted by the user coincides with tiie password 1 , tiie password 2 
can be obtained by decoding the data written to tiie above-described reserved area according to tiie password 1 . The 
25 root directory is decoded by the second password. Then, the remaining data area is decoded by the password 1 input 
by tiie user to be accessed. As the result, in this case, tiie user is authorized to access tiie whole storage medium 
(STEP S62). 

[0107] Validly check of the passwords 1 and 2 are executed by the internee section of the computer 2 or the disk 
drive on the above-described explanation, but tiie present invention is not restricted to those and it is also possible to 

30 perform tiie validity check by a firmware of the optical magnetic disk controller 1 1 of storage device 1 . 

[0108] A third entxxJiment of the present invention will be now explained. In this embodiment, a range for access con- 
trol is recorded on a disk when formatting the storage medium. At first, an exclusive area for writing control information 
for access control is defined on the storage medium. The exclusive area can be set as an area a file system does not 
administrates, not shown in Fig. 2. tor exarrple. Information illustrated on a table 3 is transmitted from the domputer 2 

35 , and is written to tiie optical magnetic disk controller 1 1 . 



[TABLE 3] 



NAME 


LENGTH 


PURPOSE 


RESPECIFICATION 


WRPW 


16 B 


PASSWORD FOR AUTHORIZING TO WRITE TO A 
MEDIUM 


ANYTIME 


RDPW 


16 B 


PASSWORD FOR AUTORIZING TO READ OUT 


RD2P0S 


4B 


UPPER LEVEL OF LBN PD2PW PERMITS TO READ 


BY FORMAT-UNIT 


RD2PW 


12 B 


AUTHORIZING TO READ FROM LBNO TO RD2P0S 
OF BAND 0, IN WHICH THERE IS A DIRECTORY 
AREA IN GENERAL 


If RDPW is specified, data cannot be read from and written to. 
If WRPW is specified, data cannot be written to. 
RD2PW is a password for showing only a directory area. 



[01 09] In a case of accessing the data, a logical sector number usually specified is not allocated to tiie exclusive area 
55 to which tiie information indicated in the table 3 is written. Accordingly, normal data access usually executed by speci- 
fying a sector number from a computer side, such as an application program or device driver, cannot be executed. 
[01 10] In here, WRPW (write or read password) and RDPW (read password) shown in the table 3 are used for autiior- 
izing the user to write to and read from ttie storage medium, respectively. For example, when the WRPW coincides. 
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both the data writing and reading can be permitled, and when the RDP W is coinddent, only data reading can be author- 
iz d. 

[011 1] RD2PW and RD2P0S are related to the present invention, and the password RD2PW is to control access to 
an area from the sector number 0 to a sector shown by the RD2P0S. 

[0112] It is also possible to entploy not only a method by which one value of RD2P0S is specified, but also a method 
by which two values, for example, RD2P0S_1 and RD2POS_2, are written to the exdusivety reserved area for access 
control, 60 that sectors from RD2P0S_1 to RD2POS_2 can be read out if the RD2PW is coincident. 
[0113] It is of course possible to specify a sector range by more plural values. A command shown in a table 4 is 
acc^taWe by a firmware of the optical magnetic disk controller 11 in the storage device 1 to access from the computer 
2 to this area or to compare the password written to the area with a password the user specifies. 



[TABLE 4] 



COMMAND NAME 


PARAMETER 


MEANING AND PURPOSE 


WRITE.PW 


TYPE PASSWORD 


WRPW, RDPW and RD2PW are changed by specifying the type 


SET^USPW 


(TYPE) PASSWORD 


A password a user inputs is conveyed to a firmware 



[0114] In here. WRITE_PW of the table 4 is a command for spedfying a password to the exclusive area for access 
control. The firmware of the optical magnetic disk controller 11 receives this command under the condition where the 
user is authorized to write to the storage medium and a password is set on a corresponding location of the exclusive 
area for access control shown in the table 3. 

[Oil 5] SET_USPW is a command for conveying the password the user inputs for using the storage medium in which 
a password is set for access control to the f irnrrware of the optical magnetic disk controller 1 1 in the storage device 1 . 
[0116] The firmware compares the password specified by a parameter of SET_USPW, i.e.. a SCSI command, with 
WRPW, RDPW or RD2PW written in the exdusive area for access contrd of the storage medium according to a type 
specified by the parameter. If the passwords coincide, access contrd is executed accading to meanings of the pass- 
words. 

[Oil 7] Further, a type of the password may not be shown In a parameter as an example of SET__USPW. In this case, 
the firmware compares password character rows spedf ied by SET_USPW with WRPW. RDPW and RD2PW written in 
the exclusive area for access control of the storage medium in this order, and a first cdnddent password is considered 
as specified. 

[0118] A case where the password type is not spedfied by the SET_USPW command will be later explained. How- 
. ever^ nothing is written to the storage medium by the SET_USPW command. 

[0119] Further, when a condition for authorizing access to the storage medium is changed by specifying the 
SET_USPW command, this condition is kept until the medium is removed, a power of the storage device 1 is turned off 
or reset, or a WRITE_PW or new SWT_USPW command is issued. 
[0120] The above-described processes will be now explained in more detail. 

[0121] In here, a condition for authorizing access to the storage medium is shown in the following table 5. 



[TABLE 51 



CONDITION NAME 


CONTENTS 


NAC 


DISABUNG ALL ACCESSES EXCEPT INPUTTING A PASSWORD (SETUSPW). 


BOR 


ENABLING TO READ FROM LBNO TO RD2P0S. INHIBITING WRITE TO WHOLE 
MEDIUM. 


RDE 


ENABLING ONLY TO READ WHOLE MEDIUM. WP NOTCH IS REGAREDED AS ON. 


RWE 


ENABLING TO READ AND WRITE WHOLE MEDIUM. NORMAL ACCESS. IF WP NOTCH 
IS ON. DISABLING TO WRITE. 



[0122] Differences of operations of representative commarxls according to each condition for authorizing access are 
shown in the table 5 by taking a SCSI command as an example. 
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[TABLE 6| 



Status 


Test Unit Ready 


Read 


Erase/Write 


FormaLUnit 


RWE 


ok 


ok 


ok 


ok 


RDE 


ok 


ok 


Regarded as wr-protected to distin- 
gui^ by a detail code 


Enabling by using an exdusive com- 
mand interface 


BOR 


ok 




NAG 


not ready **2 



[0123] Further, of the table 6 means readable only within a LBA range spedfled on the medium. Therefore, when 
accessing the area other than the specified LBA range, a read error is returned. 

[0124] In ^2, it is distinguished from a situation where the medium is not actually inserted Is distinguished by a detail 
code. 

[0125] In **3, only when a flag provided on the firmware is ON, Format_Unit command is received by an exclusive 
command interface. The flag is set by a sendjdiag command. This flag is cleared (being OFF) each when supplying a 
power, initializing a firmware of a device, and inserting and removing a storage medium. 

[0126] Operations when inserting the medium and supplying a power of the storage device 1 will be now explained. 
[0127] When a power is supplied, the storage device 1 initializes a condition by a firmware of the optical magnetic disk 
controller 1 1 . After that, it is judged whether or not the storage medium is inserted. If inserted, the medium is exchanged 
as if the storage medium is removed or inserted at that time. 

[0128] The firmware provided on optical magnetic disk controller 11 of the storage device 1 judges what condition the 
password of the storage medium is when inserting the storage medium, i.e., judges what password is set on the storage 
device. When the password area is all zero, it is regarded as the password is not set. 

[0129] A condition for authorizing access to the storage device 1 is set based on the result of this judgment according 
to the following table 7. 



[TABLE 7] 





WRPW 


RDPW 


RD2PW 


Status Name 


Writing 


Reading 


Reading a directory 


1 


0 


0 


0 


RWE 


enable 


enat)le 


enable 


2 


0 


0 


1 








enable 


3 


0 


1 


0 


NAG 


disable 


disable 


disable (*) 


4 


0 


1 


1 








disable 


5 


1 


0 


0 


RDE 


disable 


enable 


enable 


6 


1 


0 


1 








enable 


7 


1 


1 


0 


NAG 


disable 


disable 


disable (*) 


8 


1 


1 


1 








disable 


1 A password is set. 
0 A password is not set. 



[0130] Further, a password informed from the computer 2 to the storage device 1 is Ignored and all data accesses 
can not be possible until the condition settings are finished. 

[0131] In the table 7, RD2PW has its meaning in a condition where the RDPW is set. if the RDPW is not set, there is 
no influence depending on existence of RD2PW Additionally, in the table 7, this setting is considered as that a means 
for authorizing to read only to a directory section is not prepared when RD2PW is not set, and therefore, when RD2PW 
is not set, it follows only tiie setting of the RDPW. 

[0132] On tiie contrary, it is possible to set as reading from the directory section is always allowed if the RD2PW is 
not set. In tiie later case, if the RDPW is set, and the RD2PW is not set, the condition is set as BOR that means enabling 
to read only the directory section, not NAG (disabling to access)(two positions with * marks shown In the table 7 become 
enable). 



11 



r 

EP0 919 904A2 

[0133] Acoording to the inrtial settings, even if the password is not intbrnied from the computer 2, the storage devnce 
1 has a function for normally operating the storage device, similarly to the conventional storage device. 
[0134] A process for changing a condition for authorizing access according to the informed password by the storage 
device 1 will be further explained. 
5 [0135] TTie computer 2 employing the storage device 1 informs a password to the storage device 1 by using a SCSI 
command before employing tiie inserted storage medium. In this embodiment, the command for Informing the pass- 
word is now considered as a SETUSPW command. 

[0136] If the computer 2 infonms the password to the storage device 1 1n the condition where the storage medium is 
inserted, the storage device 1 executes processing for confirming a password by using a password character row spec- 
10 ified by the parameter of tiie SETUSPW command according to the operational flow charts shown in Figs. 1 1 to 13 
described later. 

[0137] If the password coincides with either one of the passwords recorded on the medium, the condition for author- 
izing to access is changed according to the result When the SETUPSPW command is sent on a condition where tiie 
medium is not inserted, the optical magnetic disk controller 1 1 of the storage device 1 stores the sent password in a 
15 working area of the firmwara 

[0138] After tiiat. tine process for confirming a password by using the saved password is executed when the storage 
medium is inserted. When the SETUP command is issued repeatedly, tiie firmware clears the a previously registered 
password, if it exists, and executes the above-desaibed process. 

[0139] Then, when a certain access has been authorized according to the previously registered password, the author- 
20 ization of the access is cancelled before executing the process for confirming a password. When the storage is not 
inserted, and the SETUP command is repeatedly issued, the saved password Is replaced and it is canceled to authorize 
access as to be NAC for inhibiting to read and write in all. 

[0140] Addftionalty. the user can inhibit to access temporally by specifying a v\^ong password intentionally 
[0141] Processes for changing the corKiition for authorizing access by tiie storage device 1 according to a password 
25 informed from the computer 2 will be further explained according to operational flow charts shown in Figs. 11 to 13 cor- 
responding to the above-described table 7. 

[0142] In Fig. 1 1 , when a password WRPW tor authorizing access for reading from or writing to the storage medium 
is specified (STEP S90), it is judged whether or not USPW and WRPW are coincident (STEP S91). 
[0143] When the USPW and WRPW are coincident, tfie condition is set as RWE tiiat means to enable both reading 
30 and writing accesses (STEP S92). 

[0144] If not, it is further judged whether or not the RDPW is set on tiie storage medium (STEP S93). When RDPW 
is not set. the condition is set as RDE that means to enable only reading access corresponding to conditions 5 and 6 of 
the table 7 (STEP S94). 

[0145] If the RDPW is set. it is further judged whetiier or not the USPW and RDPW coincide with each other (STEP 
35 S95)- Jf they coincide, the condition is set as RDE tfiat means to enable only reading access (STEP S94). 

[0146] If not. it is judged whether or not the RD2PW is specified to tiie medium (STEP S96). If not. tiie condition is 
set as NAC that means to disable all accesses (STEP S97). 

[0147] On the contrary, when the RD2PW is specified to the medium, it is judged whether or not the USPW and 
RD2PW coincide with each other. If they coincide, it becomes possible to read the BOR directory (STEP S99). If not, 
40 the condition is set as NAG tiiat means to dissemble all accesses (STEP S97). 

[0148] A process in the case where WRPW is not set and RDPW is set (con-esponding to 3 and 4 of the table 7) will 
be now explained in Fig. 12. 

[0149] If the WRPW is not set and RDPW is set(STEP SI 00), it is judged whether or not tiie USPW coincides with 
tiie RDPW (STEP S101). On this judgment, when the USPW coincides with the RDPW, the condition is set as RWE 
45 that means to enable reading and writing (STEP S1 02). 

[0150] If not, it is judged whether or not the RD2PW is set on the medium (STEP SI 03). If the RD2PW is set to the 
medium, it is judged whether or not tiie USPW coincides witti the RD2PW, corresponding to a condition 4 of Fig. 7 
(STEPS104), 

[0151] If ttie USPW coincides with tiie RD2PW. it becomes possible to read the BOR directory (STEP S105). On the 
50 confrary, if not control is returned to step S103. Then, if tiie RD2PW is not set to the medium, the condition is set as 
NAC (STEP S106). 

[0152] Then, If both WRPW and RDPW are not set (STEP Si 10) con-esponding to conditions 1 and 2 of Fig. 7, the 
condition Is set as RWE that means to enable reading and writing (STEP S1 1 1). 

[0153] As the ennbodiments of the present invention are explained in accompanying with the attached drawings, it is 
55 a feature of the present invention that a user is autiiorized to read data from a part of a directory area on a storage 
medium even if a user can specify a password given to tiie storage medium. 

[0154] Accordingly the user can know an outline of information recorded in a storage medium without authorizing 
access to a whole disk. Thereby, it is possible to prevent the user from accessing to secret information carelessly. Fur- 
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ther. it is realized to restrlctedly adrrtinistrate a password for authorizing access to the whole dIsK and further, to easily 
administrate tfie passvrard for accessing the outline without conplex operations. 

Claims 

1. A data protection method tor a removable storage medium, comprising the steps of: 

verif/ing a password; 

authorizing access to the whole removable storage medium if the password is authentic on the verification; and 
authorizing only access to a part of the removable storage medium to read out data if the password is not 
authentic on the verification. 

2. The protection method according to claim 1 , 

wherein the password verification step includes a first verification for verifying whether or not the password 
is a first password and a second verification for verifying whether or not the password is a second password, 

access to the whole removable storage medium Is authorized if the password is authentic as the first password 
on the first verification; 

access to only a part of the removable storage medium to read out data if the password is authentic as the sec- 
ond password on the second verification. 

3. The protection method according to claim 2. 

wherein the first and second passwords are transmitted from a computer before accessing to the storage 
medium, the first password allows to read and write data, and further, the second password allows only to read out 
the data. 

4. The protection method according to claim 1 . 

wherein first, second and third passwords are set in advance as the password for controlling access to the 
removable storage medium in an exclusive area of the removable storage medium, which a file system does not 
administrate, 

data can be written to and read out from the whole removable storage medium when a password specified by 
a command transmitted from a computer on the password verification step when employing the removable 
storage medium coincides with the first password for authorizing to write and read out among the passwords 
set in advance. 

data can be read out from the whole removable storage medium when the password specified by the command 
coincides with the second password for authorizing to read among the passwords set in advance; and 
data can be read out from an authorized range for reading out from the renx>vable storage medium when the 
password specified by the command coincides with the third password for specifying the authorized range 
among the passwords set in advance. 

5. The data protection method according to claim 1 , 

wherein tiie part of the removable storage medium includes a label given to the removable storage medium, 
which is an administrative area of the removable storage medium or a directory area. 

6. The data protection method according to claim 1 . 

wherein the part of the removable storage medium is a range obtained by specifying a directory area deter- 
mined according to a capacity and a logical fbmriat type of the removable storage medium with start and end logical 
block addresses. 

7. The data protection metiiod according to claim 1 , 

wherein the part of the removable storage medium is recorded in a plain text, the other part of the remo^^Ie 
storage medium is enaypted and recorded, and tiie data recorded in ttie plain text only in the part of the removable 
storage medium can be read out when the password is not authentic on the verification. 

8. A data protection method for a removable storage medium by encrypting and decoding data with the use of a pass- 
word, comprising the steps of: 
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verifying whether a password specified before accessing to a removable storage medium is authentic as a first 
password; 

enaypting a second password with the first password and recording the encrypted second password in a spec- 
ified area of the removable storage medium; 

enaypting and decoding the part of the removable storage medium with the second password, and encrypting 
and decoding other all areas of the removable storage medium with the first password; 
decoding the erxrypted second password so as to enable to access the whole removable storage medium with 
the second password, when the password specified before accessing the removable storage medium Is 
authentic as the first password; and 

using the password specified before accessing the storage medium as the second password when specified 
password is not authentic as the first password so as to enable to read out from only the part of the removable 
storage medium. 

9. A storage device employing a removable storage medium, which can be connected to a computer, comprising: 

a verifying means for verifying whether or not a password informed from a computer to access a removable 
storage medium is authentic; and 

an access control means for permitting access the whole removable storage medium when the password is 
authentic on the verification in the verification means and permitting only to read from the part of the removable 
storage medium when the password is not authentic according on the verification in the verification means. 

10. The storage device according to claim 9, 

wherein the verifying means verifies whether or not a password informed from a computer to access a 
removable storage medium is authentic as a first or second password; and 

the control means permits access to the whole removable storage medium when the first password is authentic 
on the verification in the verifying means permitting to read out from the part of the removable storage medium 
when the first password is not authentic and the second password is autherrtic on the verification in the verify- 
ing means. 

11. The storage device according to claim 9, 

wherein the part of the removable storage medium includes a label given to the removable storage medium, 
which is an administrative area of the removable storage medium or a directory area. 

12. The storage device according to daim 9, 

wherein the part of the removable storage medium is a range obtained by specifying a directory area deter- 
mined based on a capacity and a logical format type of the removable storage medium with start and end logical 
block addresses. 

13. The storage device according to claim 9. further comprising: 

a circuit controller for controlling to write and read data to and from a removable storage medium by a firmware, 
and a mechanical controller controlled by the circuit controller for writing and reading data to and from the 
removable storage medium, 

wherein the circuit controller sets first, second and third passwords in advance for controlling access to the 
removable storage medium in an exclusive area of the removable storage medium, which a file system does 
not administrate, 

when a password specified by a command transmitted from a computer when employing the removable stor- 
age medium coincides with the first password for permitting to write and read out anK>ng the passwords set in 
advance, data can be written and read out to and from the whole removable storage medium, 
when the password specified by the command coincides with the second password for authorizing to read out 
among the passwords set in advance, data can be read out from the whole rennovable storage medium, and 
further, 

when the password specified by the command coincides with the third passA/ord for specrfying the authorized 
range among the passwords set in advance, data can be read out from the autiiorized range for reading out 

14. The storage devic according t daim 13, 

wherein the authorized range for permitting t read of the third password for permitting to read from the part 
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set in the exdusive area of the removable storage medium is specified according to start and end logical block 
addresses. 

1 5. A storage system including a computer with an interface section, in which a device driver is installed, and a storage 
s device connected to the computer, 

wherein the device driver controls to record data in a plain text in a part of a removable storage medium, to 
encrypt and record the data in the other part of the removable storage medium, and to verify a password, and ena- 
ble to decode the encrypted data when the password is authentic on the verification and to read out the data 
recorded in a plain text only in the part of the removable storage medium on the verification. 

10 

16. The storage system according to dalm 15. 

wherein the password Includes first and second passwords, the device driver controls to verify whether or 
not a password specified before accessing a removat)le storage medium provided at the storage device is authentic 
as a first password, to encrypt a second password with the first password, to record the encrypted second pass- 
is word In the part of the removable storage medium, to encrypt and decode the part of the removable storage 
medium by the second password, and to encrypt and decode the other part of the removable storage medium by 
the first password, and enables to access the whole removable storage medium by decoding the encrypted second 
password by the specified pas^ord when verified authentic as the first password, and to access only the part of 
the removable storage medium to read out data by using the specified password as the second password when ver- 
20 ffied not authentic as the first password. 

17. The storage system according to claim 15. 

wherein the part of the removable storage medium includes a label given to the removable storage medium, 
which is an administrative area of the removable storage medium, or a directory area. 

25 

18. The storage system according to claim 16. 

wherein the part of the removable storage medium includes a label given to the removable storage medium, 
which is an administrative area of the removable storage medium, or a directory area. 

30 1 9. The storage system according to claim 1 5. 

wherein the part of the removable storage medium is a range for specifying an area including a directory 
determined based on a capacity and a logical format type of the removable storage medium by start and end logical 
block addresses. 

35 20. The storage system according to claim 16. 

wherein the part of the removable storage medium is a range for specifying an area including a directory 
determined based on a capacity and a logical format type of the removable storage medium by start and end logical 
block addresses. 
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FIG. 2 
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FIG. 4 
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FIG. 5 
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FIG. 6 
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FIG. 7 



Inputting a password 



S30 




S31 



NO 



YES 



Recording the inputted 
password 



S32 



22 



EP0 919 904A2 



FIG. 8 
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FIG. 9 
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FIG. 10 
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FIG. 11 
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FIG. 12 
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FIG. 13 
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